My friends over in Belgium at the /dev/random blog had a good post up the other day called “Everything Can Be Outsourced But Not Your Responsibility”. The post was about a recent incident involving Arcelor Mittal, which had a website compromised by Anonymous Belgium. The gist of the article was that although Arcelor Mittal had outsourced almost every aspect of the website, from design and creation to hosting and maintenance, at the end of the day when something went wrong, all of the outsourcing did not absolve Arcelor Mittal of responsibility.
The same thing is true in Cloud Security. Many organizations think that by outsourcing to the cloud or letting someone else deal with it, they are absolved of responsibility. They are mistaken. While they may have someone to blame, they are still responsible. Outsourcing does not include shifting responsibility. If your name is on it, it is yours. If it breaks, you own it.
So does this mean that outsourcing is a mistake? Of course not. The reasons for outsourcing are many. The outsource provider can do it better, cheaper and/or faster. These are not outweighed by the fact that you still bear ultimate responsibility. What it does mean, though, is that you should be careful about who you outsource to. This is doubly important when talking about security.
I have been involved with outsourcing and managed security for over 10 years. I remember back in 1999 when a company I helped get started was one of the largest Check Point firewall resellers and we managed hundreds of Check Point boxes. The biggest selling point was that we were better prepared to do the job than our customers were. That fundamental fact has not changed. Customers realize they are responsible. Part of that responsibility is picking the right outsourcing partner and doing your due diligence on your choice.
At Alert Logic this basic tenet still holds true. With over 1500 end-user customers and representing over half of the 30 leading hosting/cloud providers, you can rest assured that the question of responsibility and due diligence comes up again and again. This is why, even though they are a private company, they release financials just about every quarter. It is also why they strive to maintain a high level of transparency for the business. Alert Logic’s customers know that even though they outsource their security, they ultimately will bear responsibility. Having someone to blame is not enough.
So the responsibility issue is not a reason to stop outsourcing. But it does place the burden on any company that outsources to perform due diligence on every third party it outsources to.